Abstract

Nishioka et al claim in [1], elaborating on their earlier paper [2], that the direct 
encryption scheme called Y-00 [3,4] is equivalent to a classical non-random additive 
stream cipher, and thus offers no more security than the latter. In this paper, we 
show that this claim is false and that Y-00 may be considered equivalent to a random 
cipher. We explain why a random cipher provides additional security compared to its 
nonrandom counterpart. Some criticisms in [1] on the use of Y-00 for key generation 
are also briefly responded to. 
1 Introduction

The direct encryption system called Y-00 or $\alpha\eta$ [3,4] uses coherent states to transmit encrypted information between two users, Alice and Bob, sharing a secret key. Nishioka et al claimed in [2] that the security of Y-00 was completely equivalent to that of a classical non-random additive stream cipher. Although we rebutted this claim in [5], the authors of [2] have replied in [1] to the effect that we did not understand the claims made in their original paper, and that our reply was irrelevant. It is in fact true that some details of our understanding of the claims in [2] differ from the purported clarifications of the same provided in [1]. However, setting aside questions of clarity of the claims in [2], we understand their claims in [1] exactly and contend that the claimed equivalence of Y-00 to a classical non-random additive stream cipher is false, thus reiterating the conclusion of [5]. We provide arguments in this paper that conclusively demonstrate that Y-00 is not equivalent to a non-random cipher.

In Section 2, we briefly review the Y-00 direct encryption protocol. In Section 
3, we describe the claims in [2] and [1]. In Section 4, we review the concept 
of a random cipher and describe why they are more secure than non-random 
ones against attacks on the key, thus highlighting the added feature that Y-00 
provides over a non-random cipher. We then rebut the claims in [1] and show 
why Y-00 is not equivalent to a non-random stream cipher. In Section 5, we 
briefly respond to the criticisms in [1] of using Y-00 with weak coherent states 
as a key generation system. 



2 The Y-00 Direct Encryption Protocol 



We review the Y-00 protocol, using the notations of [1] for easy reference. 

(1) Alice and Bob share a secret key $K_s$.

(2) Using a pseudo-random-number generator PRNG(·), e.g., a linear feedback shift register, the seed key $K_s$ is expanded into a running key sequence $K = \mathrm{PRNG}(K_s) = (K_1, \ldots, K_N)$, with each block $K_i \in \{0, 1, \ldots, M-1\}$.

(3) For each bit $r_i$ of a plaintext sequence $R_N = (r_1, \ldots, r_N)$, Alice transmits the coherent state

$$|\psi(K_i, r_i)\rangle = |\alpha e^{i\theta(K_i, r_i)}\rangle, \tag{1}$$

where $\alpha \in \mathbb{R}$ and $\theta(K_i, r_i) = [K_i/M + (r_i \oplus \Pi(K_i))]\pi$. $\Pi(K_i) = 0$ or $1$ according to whether $K_i$ is even or odd. This distribution of possible states is shown in Fig. 1. Thus $K_i$ can be thought of as choosing a 'basis' with the states representing bits 0 and 1 as its end points.

(4) Bob, knowing $K_i$, makes a measurement to discriminate just the two states $|\psi(K_i, r_i)\rangle$ and $|\psi(K_i, r_i \oplus 1)\rangle$.

The probability that Bob makes an error can be made negligibly small by choosing the mean photon number $S = |\alpha|^2$ large enough. In particular, the optimal quantum measurement [6] for Bob has error probability

$$P_e \sim \frac{1}{4}\exp(-4S). \tag{2}$$

Fig. 1. Left: Overall schematic of the $\alpha\eta$ scheme. Right: Depiction of M/2 bases with interleaved logical state mappings.

Eve, not knowing $K_i$, is faced with the problem of distinguishing the density operators $\rho^0$ and $\rho^1$ where

$$\rho^b = \sum_{K_i} |\psi(K_i, b)\rangle\langle\psi(K_i, b)|. \tag{3}$$



For a fixed signal energy $S$, Eve's optimal error probability is numerically seen to go asymptotically to 1/2 as the number of bases $M \to \infty$ (see Fig. 1 of [3]). The intuitive reason for this is that increasing $M$ more closely interleaves the states on the circle representing bit 0 and bit 1, making them less distinguishable. Therefore, at least under individual attacks on each qumode, the Y-00 protocol offers any desired level of security determined by the relative values of $S$ and $M$.

One can also ask if Eve can obtain the key $K_s$ under a known-plaintext attack, thus compromising the security of future data. While the complete analysis of the security of Y-00 under known-plaintext analysis has not been performed, we can still make some remarks about the security that Y-00 offers against an attack involving a fixed measurement (e.g., a heterodyne or phase measurement) on each qumode followed by a brute-force trial of remaining key candidates. Indeed, a simple estimate of the noise in the phase measurement (which performs better than the heterodyne measurement) can be obtained by assuming that the noise moves the measured angle around the transmitted value uniformly within a standard deviation $1/|\alpha|$ of the measurement noise. Then, it is seen that the number of possible bases $N_a$ consistent with the known bit $b$ in each measurement is $N_a = M/(2\pi|\alpha|)$. Thus, the randomization provided by the quantum noise creates a search problem for Eve that would not be present if Y-00 was a non-random cipher.

3 Claims in Nishioka et al [1]



Nishioka et al claim that Y-00 can be reduced to a classical non-random stream cipher under the attack that we now review. For each transmission $i$, Eve makes a heterodyne measurement on the state and collapses the outcomes to one of $2M$ possible values. Thus, the outcome $j \in \{0, \ldots, 2M-1\}$ is obtained if the heterodyne result falls in the wedge for which the phase $\theta \in [\theta_j - \pi/2M, \theta_j + \pi/2M]$, where $\theta_j = \pi j/M$. Further, for $q \in \{0, \ldots, M-1\}$ representing the $M$ possible values of each $K_i$, Nishioka et al construct a function $F_j(q)$ with the property that, for each $i$, and the corresponding running key value $K_i$ actually used,

$$F_{j^{(i)}}(K_i) = r_i \tag{4}$$



with probability very close to 1. In fact, for the parameters $S = 100$ and $M = 200$, they calculate the probability that Eq. (4) fails to hold to be $10^{-44}$, which value they demonstrate to be negligible for any practical purpose.

The authors of [1] further claim that the above function $F_{j^{(i)}}(q)$ can always be represented as the XOR of two bit functions $G_{\tilde{j}^{(i)}}(q)$ and $l_{j^{(i)}}$, where $l_{j^{(i)}}$ depends only on the measurement result. Thus, they make the claim that the equation

$$l_{j^{(i)}} = r_i \oplus G_{\tilde{j}^{(i)}}(K_i) \tag{5}$$



holds with probability effectively equal to 1. They then observe that a classical additive stream cipher [7,8] (which is non-random by definition) satisfies

$$l_i = r_i \oplus k_i, \tag{6}$$



where $r_i$, $l_i$ and $k_i$ are respectively the $i$th plaintext bit, ciphertext bit and running key bit. Here, $k_i$ is obtained by using a seed key in a pseudo-random-number generator to generate a longer running key. The authors of [1] then argue that since $l_{j^{(i)}}$ in Eq. (5), like the $l_i$ in Eq. (6), depends just on the measurement result, the validity of Eq. (5) proves that the security of Y-00 is equivalent to that of a classical stream cipher. In particular, they claim that by interpreting $l$ as the ciphertext, Y-00 is not a random cipher, i.e., it does not satisfy Eq. (7) of the next section.

We analyze and respond to these claims and other statements in [1] in the 
following section. 

4 Reply to claims in [1]



First of all, we review the definition of a random cipher. Such a cipher is called 
a 'privately-randomized cipher' in [8], but we will call it just a random cipher. 
A random cipher is defined by the two conditions: 

$$H(Y_N | K_s, R_N) \neq 0, \tag{7}$$

and

$$H(R_N | Y_N, K_s) = 0. \tag{8}$$



Here, $Y_N$ refers to the $N$-symbol long ciphertext and $R_N$ and $K_s$ are the plaintext and secret key, as in section 1. Note that there is no restriction on the alphabet of $Y_N$, which may be binary, $M$-ary or even continuous. Eq. (7) implies that, for a given key, the plaintext may be mapped by the encrypter into more than one possible ciphertext. However, it is still required that the plaintext can be recovered from the ciphertext and the key, which is the meaning of Eq. (8). The case where Eq. (8) holds but Eq. (7) does not is the usual case of a non-random cipher in standard cryptography.

The advantage of a random cipher, which is briefly described in [5] but not appreciated in [1], is that it may be secure against attacks on the key in the case when the attacker knows the statistics $p(R_N)$ of the data. In the case where the $r_i$ are independent and identically distributed, a random cipher can be constructed that provides complete information-theoretic security of the key [9], in the sense that $H(K_s | Y_N) = H(K_s)$. Such security cannot be obtained with nonrandom ciphers [10]. See [10] for a detailed discussion on the security of random ciphers. Although we do not claim such information-theoretic security for Y-00, the possibility is not ruled out. We have already commented on the added brute-force search complexity of Y-00 against attacks on the key in Section 2. We now proceed to prove that the claim in [1] that Y-00 is reducible for Eve to a non-random stream cipher under a heterodyne measurement is false.

To begin with, we believe that Eq. (4) (Eq. (14) in [1]) is correct with the probability given by them. The content of this equation is simply that Eve is able to decrypt the transmitted bit from her measurement data $J_N$ and the key $K_s$. In other words, it merely asserts that Eq. (8) holds for $Y_N = J_N$. As such, it does not contradict, and is even necessary for, the claim that Y-00 is a random cipher for Eve. In fact, we already claimed in [4] and [5] that such a condition holds. In this regard, note also that the statement in Section 4.1 of [1] that "informational secure key generation is impossible when (Eq. (4) of this paper) holds" is irrelevant, since direct encryption rather than key generation is being considered here.

We also agree with the claim of Nishioka et al that it is possible to find functions $l_{j^{(i)}}$ and $G_{\tilde{j}^{(i)}}(q)$, the former depending only on the measurement result, such that Eq. (5) holds, again with probability effectively equal to one. The error in [1] is to use this equation to claim, in analogy with Eq. (6), that Y-00 is reducible to a classical stream cipher, and hence non-random.

To understand the error in their argument, note that, for Eq. (6) to represent an additive stream cipher, the $l_i$ in that equation should be a function only of the measurement result, and $k_i$ should be a function only of the running key. While the former requirement is true also for the $l_{j^{(i)}}$ in Eq. (5), the latter is certainly false for the function $G_{\tilde{j}^{(i)}}(K_i)$ in Eq. (5), since it depends both on the measurement result and the running key $K_i$. Indeed, it can be seen that the definition of the function $F_{j^{(i)}}(K_i)$, and thus $G_{\tilde{j}^{(i)}}(q)$, depends on the two sets defined in Eq. (12) of [1]. The identity of these sets in turn depends on the relative angle between the basis $q$ and Eve's estimated basis $\tilde{j}^{(i)} = j^{(i)} \bmod M$. Thus, it is clearly the case that $G_{\tilde{j}^{(i)}}(K_i)$ must depend both on $\tilde{j}^{(i)}$ and $K_i$, a fact also revealed by the inclusion of the subscript $\tilde{j}^{(i)}$ by the authors of [1] in the notation for $G$.

We have shown above why the representation of Y-00 via Eq. (5) is not equivalent to an additive stream cipher. The question may be raised, however, if Eq. (5) reduces Y-00 to any kind of nonrandom cipher whatsoever. We will show below that the answer is negative. Indeed, Nishioka et al emphasize that Y-00 is nonrandom because

$$H(L_N | R_N, K_s) = 0 \tag{9}$$



holds, where $L_N = (l_{j^{(1)}}, \ldots, l_{j^{(N)}})$. This equation follows from Eq. (5) and so by considering $L_N = Y_N$ to be the ciphertext, Eq. (7) is not satisfied, thus supposedly making Y-00 nonrandom. The choice of $L_N$ as the ciphertext is supported by the statement in [1] that "It is a matter of preference what we should refer to as "ciphertext"." This is not true without qualification. It ignores the crucial point that the random variable that is chosen as ciphertext must be sufficient to decrypt to the corresponding $R_N$ for every value of the key. We will show below that, for Y-00, the ciphertext alphabet needs to be at least $(2M)$-ary, although larger, even continuous alphabets (such as the possible values of phase angle in a phase measurement or the two quadrature amplitudes in a heterodyne measurement) may be used. Thus, if one wants to claim equivalence to a classical cipher (random or non-random), for a particular choice of ciphertext $Y_N$, one must show that Eq. (8) is satisfied using that same ciphertext $Y_N$. In the case where $Y_N = L_N$, one may readily see that Eq. (8) is not satisfied, i.e., $H(R_N | L_N, K_s) \neq 0$. The reason is that, as we noted in our description above of the function $G_{\tilde{j}^{(i)}}(q)$, decrypting requires knowledge of certain ranges in which the angle between the basis chosen by the running key and the estimated basis $\tilde{j}^{(i)}$ falls. To convey this information for every possible one needs at least $\log_2(2M)$ bits. It follows that the single bit $l_{j^{(i)}}$ is insufficient for the purpose of decryption, and so Eq. (8) cannot be satisfied for $Y_N = L_N$. Therefore, we conclude that, in the interpretation of $L_N$ as the ciphertext, decryption is not possible even if Eve has the key $K_s$. Indeed, it is $J_N$ that can be regarded as a possible ciphertext, since Eq. (8) is satisfied for $Y_N = J_N$. The fact that $J_N$ is a true ciphertext sufficient for decryption is implicit in the dependence on $\tilde{j}^{(i)}$ of the function $G$ in Eq. (5). However, with this choice of ciphertext, Y-00 necessarily becomes a random cipher, because $H(J_N | R_N, K_s) \neq 0$ - this latter fact is admitted by Nishioka et al in [1].
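
The following simulation is an added illustration, not code from this paper or from [1]: it runs the heterodyne attack of Section 3 with $S = 100$, $M = 200$ and checks both random-cipher conditions for the wedge index $j$, then shows one single-bit reduction failing to determine $r$. Assumptions: heterodyne noise is modelled as Gaussian with variance 1/2 per quadrature, `F` is a nearest-state decryption rule standing in for $F_j(q)$, and the split $l = \lfloor j/M \rfloor$ with reduced index $j \bmod M$ is one hypothetical choice of decomposition.

```python
import math
import random
from collections import Counter

M, S = 200, 100.0            # number of bases and mean photon number, as in the text
ALPHA = math.sqrt(S)         # real coherent amplitude, S = |alpha|^2

def theta(K, r):
    """Phase of the transmitted state, Eq. (1): [K/M + (r XOR Pi(K))] * pi."""
    return (K / M + (r ^ (K % 2))) * math.pi

def heterodyne_wedge(K, r, rng):
    """Sample Eve's heterodyne outcome and collapse it to a wedge j in 0..2M-1.
    Assumption: each quadrature is Gaussian with variance 1/2 around the
    coherent amplitude (heterodyne statistics of a coherent state)."""
    sigma = math.sqrt(0.5)
    x = ALPHA * math.cos(theta(K, r)) + rng.gauss(0.0, sigma)
    y = ALPHA * math.sin(theta(K, r)) + rng.gauss(0.0, sigma)
    phase = math.atan2(y, x) % (2 * math.pi)
    return round(phase / (math.pi / M)) % (2 * M)    # wedge centred on pi*j/M

def F(j, K):
    """Nearest-state decryption of wedge j under key block K (an illustrative
    stand-in for F_j(q); not the construction given in [1])."""
    d = (j - K - M * (K % 2)) % (2 * M)    # wedge offset from the bit-0 state
    return 0 if (d < M // 2 or d >= 3 * M // 2) else 1

def split(j):
    """Hypothetical decomposition: single bit l = j // M and reduced index
    j mod M, chosen so that F(j, K) == l XOR F(j mod M, K)."""
    return j // M, j % M

def observe(K, r, trials=5000, seed=1):
    """Histogram of the wedges Eve sees for fixed key block K and bit r."""
    rng = random.Random(seed)
    return Counter(heterodyne_wedge(K, r, rng) for _ in range(trials))

def entropy_bits(counts):
    """Empirical Shannon entropy of a histogram, in bits."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def l_values(K, r):
    """Set of single-bit values l that occur for a fixed (K, r)."""
    return {split(j)[0] for j in observe(K, r)}

if __name__ == "__main__":
    for r in (0, 1):
        seen = observe(0, r)
        errors = sum(c for j, c in seen.items() if F(j, 0) != r)
        print(f"K=0 r={r}: H(j|K,r) ~ {entropy_bits(seen):.2f} bits, "
              f"F errors={errors}, l values={sorted(l_values(0, r))}")
```

For $K_i = 0$ both plaintext bits produce both values of $l$, so the pair $(l, K_i)$ does not fix $r_i$, while $(j, K_i)$ decrypts without error and $j$ itself varies from run to run for fixed $(K_i, r_i)$.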

We hope that the discussion above makes it clear that the 'reduction' of Y-00 in [1] to a non-random cipher is false, and that in fact, no such reduction can be made under the heterodyne attack considered in [1]. However, the representation of ciphertext by $Y_N = J_N$ does reduce it to a random cipher under the heterodyne attack. As a result, it can be implemented classically in principle, but not in practice. This is because true random numbers can only be generated physically, not by an algorithm, and the practical rate for such generation is many orders of magnitude below the $\sim$Gbps rate in our experiments where the coherent-state quantum noise does the randomization automatically. Furthermore, our physical "analog" scheme does not sacrifice bandwidth or data rate compared to other known randomization techniques. See [10] for a detailed discussion.

We conclude this section by responding to some other statements made in [1]. 

In Section 3.2, Nishioka et al state that "It is interesting to note that a smaller $M$ (but not $M = 1$) is preferable for increasing the stochastic property." Here, they mean that the decryption using $J_N$ and the key is noisier for smaller $M$. We claim that this cannot be the case and that the decryption probability is essentially independent of $M$. In any case, for the heterodyne quantum noise to cover more states on the circle, it is clear that a larger $M$ is preferable (see our discussion in Section 2).

In Section 3.3, Nishioka et al claim that "The value of $l_{j^{(i)}}$ does not have to be the same as that of $l_{j^{(i')}}$ when $i \neq i'$, even if $j^{(i)} = j^{(i')}$ holds." This statement is in direct contradiction to their previous statement in the same subsection that "$l_{j^{(i)}}$ depends only on the measurement value $j^{(i)}$".

In the same subsection, Nishioka et al claim that "In ([2]), we showed another concrete construction of $l_{j^{(i)}}$." In our opinion, there was no explicit construction of $l_{j^{(i)}}$ in that paper, which to us seemed quite vague. We were led to the choice of $l_i$ described in [5] by the attempt to make the additive stream cipher representation Eq. (6) valid. In fact, such a representation is claimed by Nishioka et al in their Case 2 of [2]. It turned out, however, that decryption using that $l_i$ suffered a 0.1-1% error depending on the value of $S$ used. See [5] for further details. In any case, as we have shown above, no construction of a single bit from the heterodyne measurement results can satisfy Eq. (8) with the extremely low probability given in [1].



5 Remarks regarding Key Generation using Y-00 

In [5], we replied to the claim that information-theoretically secure key generation is impossible for Y-00 by showing a 6 dB advantage that the users have over Eve launching a heterodyne attack. This advantage can be used for practical key generation using a small enough value of $S$. This is acknowledged in [1], thus validating our claim that it is indeed possible. However, the new issue is raised in [1] that this advantage is too small to allow Y-00 to generate keys, in their example, over a distance of 50 km. In this connection, we merely wish to state that (i) this is not the original issue under dispute and we do not wish to bring a new issue into the present discussion; (ii) similar loss limits are also present for BB84; (iii) other techniques and schemes are already discussed in [4] to overcome this distance limit.



6 Conclusion 

We have demonstrated that, under a heterodyne measurement, the Y-00 Direct Encryption protocol cannot be reduced to a classical non-random stream cipher, as claimed in [1]. Its security under heterodyne attack is equivalent to a corresponding random cipher.